SSH CA + gpg-agent + gnuk => error

NIIBE Yutaka gniibe at
Fri Oct 18 13:50:21 CEST 2019

Brennecke, Simon wrote:
> I have a question regarding the interaction of SSH with gpg-agent
> (and possibly also gnuk).
> So I generated a new ECC key in gnuk, imported the public keys in gpg.
> Added the keygrip everything to "~/.gnupg/sshcontrol"

Just FYI, for smartcard, adding a keygrip in sshcontrol is not needed,
if it is OK for your gpg-agent to just fail for signing request when
smartcard is not available.

> "ssh-add -L" shows me the key.
> I signed it with the CA.
> ssh tries to use the key...
> ... and this is where the error pops up.
> ssh tells me:
> sign_and_send_pubkey: signing failed: agent refused operation
> and gpg-agent tells me:
> gpg-agent[21629]: ssh request handler for sign_request (13) started
> gpg-agent[21629]: DBG: detected card with S/N D276000124010200FFFE430322340000
> gpg-agent[21629]: smartcard signing failed: General error
> gpg-agent[21629]: ssh sign request failed: General error <GPG Agent>

I don't think it is related to OpenSSH certificate.  For some reason,
possibly a bug, smartcard signing failed.  You can configure
.gnupg/scdaemon.conf with something like:
debug-level guru
log-file /run/user/1000/scd.log
to see what's going on.

			*	*	*

Here is some other information, related.

OpenSSH certificate authentication doesn't work well with gpg-agent
(yet).  Ideally, OpenSSH certificate should be under control of

For detail, you can see:

Protocol-wise, for gpg-agent, it is expected that the ssh does:

  * ssh asks ssh-agent (in our case, gpg-agent) to get OpenSSH
    certificate by REQUEST_IDENTITIES command

  * (only after) REQUEST_IDENTITIES command, ssh asks ssh-agent
    challenge-response by SIGN_REQUEST command

But the first part does not occur with the current OpenSSH client.  The client
by itself answers back to the server using the certificate on disk
(under .ssh/), without asking ssh-agent.

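The two-step exchange described in the post (REQUEST_IDENTITIES, then SIGN_REQUEST), modelled on the ssh-agent wire format, as an added example that is not part of the original post and not code from GnuPG or OpenSSH. It builds both client messages, a constructed ssh-ed25519 certificate blob standing in for the one ssh loads from ~/.ssh/, and a toy agent that can run in two modes: strict, where it signs only for key blobs it announced in its own IDENTITIES_ANSWER (the expectation the post describes), and permissive, where it maps a certificate blob back to the embedded public key before looking it up (an assumption about how an agent would have to behave to serve a certificate it never announced, not a claim about any particular agent). The HMAC "signature" is a stand-in for a real smartcard signature; message numbers follow draft-miller-ssh-agent. An agent answering SSH_AGENT_FAILURE is what the OpenSSH client reports as "agent refused operation".

```python
"""Toy ssh-agent exchange: REQUEST_IDENTITIES followed by SIGN_REQUEST.

Added example, not code from the original post, GnuPG or OpenSSH.
Framing and message numbers follow draft-miller-ssh-agent; the "card"
signature below is an HMAC stand-in, not a real smartcard signature.
"""
import hashlib
import hmac
import struct

SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14
CERT_SUFFIX = b"-cert-v01@openssh.com"


def put_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def get_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def frame(msg_type: int, body: bytes = b"") -> bytes:
    """Agent messages: uint32 length, one type byte, then the body."""
    return struct.pack(">I", len(body) + 1) + bytes([msg_type]) + body


def unframe(data: bytes):
    (n,) = struct.unpack_from(">I", data, 0)
    return data[4], data[5:4 + n]


def cert_public_key(blob: bytes) -> bytes:
    """Reduce an ssh-ed25519 *-cert-v01 blob to its plain key blob.

    Certificate layout starts: string type, string nonce, string pk, ...
    A plain ssh-ed25519 blob is: string "ssh-ed25519", string pk.
    """
    ktype, off = get_string(blob, 0)
    if not ktype.endswith(CERT_SUFFIX):
        return blob                                 # already a plain key
    plain_type = ktype[:-len(CERT_SUFFIX)]
    if plain_type != b"ssh-ed25519":
        raise ValueError("toy handles only ssh-ed25519 certificates")
    _nonce, off = get_string(blob, off)
    pk, _ = get_string(blob, off)
    return put_string(plain_type) + put_string(pk)


def make_ed25519_cert_blob(pk: bytes, key_id: bytes) -> bytes:
    """Constructed certificate blob (fields per OpenSSH's cert format, dummy CA signature)."""
    b = put_string(b"ssh-ed25519" + CERT_SUFFIX)
    b += put_string(b"\x00" * 32)                   # nonce
    b += put_string(pk)                             # the certified public key
    b += struct.pack(">Q", 1) + struct.pack(">I", 1)  # serial, type = user cert
    b += put_string(key_id)
    b += put_string(put_string(b"simon"))           # valid principals
    b += struct.pack(">QQ", 0, 2 ** 64 - 1)         # valid after / before
    b += put_string(b"") * 3                        # critical options, extensions, reserved
    b += put_string(put_string(b"ssh-ed25519") + put_string(b"\x11" * 32))  # CA key
    b += put_string(b"")                            # CA signature (dummy, not verified here)
    return b


def sign_request(blob: bytes, data: bytes, flags: int = 0) -> bytes:
    return frame(SSH_AGENTC_SIGN_REQUEST,
                 put_string(blob) + put_string(data) + struct.pack(">I", flags))


def parse_identities(resp: bytes):
    """Return [(key_blob, comment), ...] from an IDENTITIES_ANSWER."""
    mtype, body = unframe(resp)
    assert mtype == SSH_AGENT_IDENTITIES_ANSWER
    (count,) = struct.unpack_from(">I", body, 0)
    off, out = 4, []
    for _ in range(count):
        blob, off = get_string(body, off)
        comment, off = get_string(body, off)
        out.append((blob, comment))
    return out


class ToyAgent:
    """keys maps an announced key blob to its 'card' secret (HMAC stand-in)."""

    def __init__(self, keys: dict, resolve_certs: bool = False):
        self.keys = keys
        self.resolve_certs = resolve_certs

    def handle(self, msg: bytes) -> bytes:
        mtype, body = unframe(msg)
        if mtype == SSH_AGENTC_REQUEST_IDENTITIES:
            out = struct.pack(">I", len(self.keys))
            for blob in self.keys:
                out += put_string(blob) + put_string(b"cardno:000000000000")
            return frame(SSH_AGENT_IDENTITIES_ANSWER, out)
        if mtype == SSH_AGENTC_SIGN_REQUEST:
            blob, off = get_string(body, 0)
            data, off = get_string(body, off)
            lookup = cert_public_key(blob) if self.resolve_certs else blob
            secret = self.keys.get(lookup)
            if secret is None:                      # blob never announced -> refuse
                return frame(SSH_AGENT_FAILURE)
            sig = hmac.new(secret, data, hashlib.sha256).digest()
            return frame(SSH_AGENT_SIGN_RESPONSE,
                         put_string(put_string(b"toy-hmac") + put_string(sig)))
        return frame(SSH_AGENT_FAILURE)


if __name__ == "__main__":
    pk = b"\x42" * 32                               # constructed public key bytes
    plain = put_string(b"ssh-ed25519") + put_string(pk)
    cert = make_ed25519_cert_blob(pk, b"simon@example")
    strict = ToyAgent({plain: b"card-secret"})
    print(parse_identities(strict.handle(frame(SSH_AGENTC_REQUEST_IDENTITIES))))
    print("cert blob, strict agent :", unframe(strict.handle(sign_request(cert, b"session")))[0])
    print("cert blob, permissive   :", unframe(ToyAgent({plain: b"card-secret"}, True)
                                                .handle(sign_request(cert, b"session")))[0])
```

Running the demo shows the strict agent answering type 5 (FAILURE) for the certificate blob that ssh took from disk, while it signs happily for the raw key blob it announced; the permissive agent reduces the certificate to the embedded key first and signs.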